ASA5510 dynamic VPN from RV042

Answered Question
Feb 24th, 2012

So far I have a complete phase 1 and an almost complete phase 2, but there is one thing I can't figure out. I see this in the debug:

peer is not authenticated by xauth - drop connection.

I get it right after the proxy is set up.

Here is my config:

group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage enable
 nem enable
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none

I have tried many different configurations on both sides, but they all fail with the same error of peer not authenticated by xauth.

Jason Gervia (Cisco Employee) Fri, 02/24/2012 - 12:31

Hmmm, it looks like you have xauth turned off (ikev1 user-authentication none) - can you turn on debugs (debug crypto isakmp 127) when you try to connect and post those?

--Jason

tahequivoice Fri, 02/24/2012 - 12:37

I have tried it with it on and with it off, and always the same thing comes back.

Here is the aaa common 50 debug:

Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DefaultRAGroup
Resp:
grp_policy_ioctl(0x0a250e40, 114698, 0xa9372788)
grp_policy_ioctl: Looking up DefaultRAGroup
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 114, pAcb = 0xadae6da0
AAA task: aaa_process_msg(0xa9373220) received message type 1
AAA FSM: In AAA_ProcSvrResp

Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
  1     User-Name(1)     14    "DefaultRAGroup"
  2     User-Password(2)      0    0xae048023   ** Unresolved Attribute **

user policy attributes:
None

tunnel policy attributes:
  1     Idle-Timeout(28)      4    0
  2     Tunnelling-Protocol(4107)      4    12
  3     Store-PW(4112)      4    1
  4     Group-Policy(4121)     14    "DefaultRAGroup"
  5     Network-Extension-Mode-Allowed(4160)      4    1

AAA API: In aaa_close
AAA API: In aaa_send_acct_start
AAA task: aaa_process_msg(0xa9373220) received message type 3
In aaai_close_session (114)
AAA API: In aaa_open
AAA session opened: handle = 115
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xa9373220) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DefaultRAGroup)
Got server ID 0 for group policy DB

And the isakmp 127 debug with the relevant information. Up to this point it passes.

Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.253.20.0--255.255.255.0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.253.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, processing ID payload
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR ID received
66.252.79.16
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x., Received local Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xace21cd8, mess id 0xb4d2530a)!
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xace21cd8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message

rizwanr74 (Gold, 750 points or more) Fri, 02/24/2012 - 12:40

Dynamic L2L VPN running on ASA or RV042: which is the hub and which is the spoke?

Please post your config on the forum, for easier troubleshooting.

Thanks

tahequivoice Fri, 02/24/2012 - 12:44

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set L2TP-Droid esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-Droid mode transport
crypto ipsec ikev1 transform-set EZVPN esp-aes-256 esp-sha-hmac
crypto dynamic-map L2TP 10 set ikev1 transform-set L2TP-Droid ESP-AES-256-MD5 EZVPN
crypto map VPN 20 ipsec-isakmp dynamic L2TP
crypto map VPN interface outside

crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 25
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage enable
 nem enable

tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none

EZVPN, L2L VPN, WebVPN (AnyConnect) and Client VPN do work, as well as the L2TP Droid VPN.

baiyunhu75 Tue, 05/29/2012 - 12:39

Could you give the config of the RV042 and ASA5510 now? I have the same config as you, but it does not work! What are your ASA and RV042 versions?

Correct Answer
Jason Gervia (Cisco Employee) Fri, 02/24/2012 - 12:50

Don't use DefaultRAGroup - I think that means it will automatically try to build a user VPN rather than a dynamic L2L.

Change the pre-shared key on the DefaultRAGroup to be something else (so it doesn't match what the other side is sending). Put all the config you have for the DefaultRAGroup tunnel-group and group-policy on the DefaultL2LGroup tunnel-group and group-policy instead.

Usually the DefaultRAGroup is a 'remote-access' type which doesn't mean L2L. DefaultL2LGroup should hopefully fix it.
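As an added example (not code from the thread or from Cisco), a small Python lint that parses the tunnel-group blocks of an ASA config and flags the default-group conditions behind the xauth drop described above: no pre-shared key on DefaultL2LGroup, a keyed DefaultRAGroup with xauth disabled, or both defaults sharing a key. The two embedded config excerpts are constructed from the thread, with placeholder keys.

```python
import re

# Constructed excerpt of the thread's failing config (key is a placeholder).
FAILING_CONFIG = """
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_KEY
 ikev1 user-authentication none
"""

# Same settings moved to DefaultL2LGroup, RA key changed, as the answer advises.
FIXED_CONFIG = """
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key DIFFERENT_PLACEHOLDER_KEY
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_KEY
"""

def parse_tunnel_groups(config):
    """Return {tunnel-group name: {'psk': ..., 'xauth': ...}} from config text."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) ", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, {})
        elif line.startswith(("crypto ", "group-policy ")):
            current = None  # back at top level, no longer inside a tunnel-group
        elif current and line.startswith("ikev1 pre-shared-key "):
            groups[current]["psk"] = line.split(" ", 2)[2]
        elif current and line.startswith("ikev1 user-authentication "):
            groups[current]["xauth"] = line.split(" ", 2)[2]
    return groups

def lint_l2l_defaults(config):
    """Flag the default-tunnel-group conditions behind the thread's xauth drop."""
    groups = parse_tunnel_groups(config)
    ra, l2l = groups.get("DefaultRAGroup", {}), groups.get("DefaultL2LGroup", {})
    findings = []
    if "psk" not in l2l:
        findings.append("DefaultL2LGroup has no ikev1 pre-shared-key: dynamic L2L "
                        "peers have no L2L default to match")
    if "psk" in ra and ra.get("xauth") == "none":
        findings.append("DefaultRAGroup carries a pre-shared key with xauth disabled; "
                        "L2L peers matched here are dropped as not authenticated by xauth")
    if "psk" in ra and ra.get("psk") == l2l.get("psk"):
        findings.append("DefaultRAGroup and DefaultL2LGroup share a pre-shared key; "
                        "change the DefaultRAGroup key so it does not match")
    return findings

if __name__ == "__main__":
    for name, cfg in (("failing", FAILING_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_l2l_defaults(cfg) or ["no findings"])
```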

tahequivoice Fri, 02/24/2012 - 13:17

Jason, you are the MAN! Worked like a charm. Once I got the keys straight it came right up and I was able to route into the network.
